
CVE-2025-41663 – Weidmueller: Security routers IE-SR-2TX are affected by Command Injection
https://notcve.org/view.php?id=CVE-2025-41663
11 Jun 2025 — An unauthenticated remote attacker in a man-in-the-middle position can inject arbitrary commands in responses returned by WWH servers and gain arbitrary command execution with elevated privileges. • https://certvde.com/en/advisories/VDE-2025-052 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2025-41661 – Weidmueller: Security routers IE-SR-2TX are affected by CSRF
https://notcve.org/view.php?id=CVE-2025-41661
11 Jun 2025 — An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection in the Main Web Interface (endpoint event_mail_test). • https://certvde.com/en/advisories/VDE-2025-052 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-41662 – Weidmueller: Security routers IE-SR-2TX are affected by Cross-Site Request Forgery
https://notcve.org/view.php?id=CVE-2025-41662
11 Jun 2025 — An unauthenticated remote attacker can execute arbitrary commands with root privileges on affected devices due to lack of Cross-Site Request Forgery (CSRF) protection in the Main Web Interface (endpoint tls_iotgen_setting). • https://certvde.com/en/advisories/VDE-2025-052 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2025-41653 – Weidmueller: Denial-of-Service Vulnerability in the web server functionality of Industrial Ethernet Switches
https://notcve.org/view.php?id=CVE-2025-41653
27 May 2025 — An unauthenticated remote attacker can exploit a denial-of-service vulnerability in the device's web server functionality by sending a specially crafted HTTP request with a malicious header, potentially causing the server to crash or become unresponsive. • https://certvde.com/en/advisories/VDE-2025-044 • CWE-410: Insufficient Resource Pool •

CVE-2025-41652 – Weidmueller: Authentication Bypass Vulnerability in Industrial Ethernet Switches
https://notcve.org/view.php?id=CVE-2025-41652
27 May 2025 — The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated remote attacker could exploit this weakness by performing brute-force attacks to guess valid credentials or by using MD5 collision techniques to forge authentication hashes, potentially compromising the device. • https://certvde.com/en/advisories/VDE-2025-044 • CWE-656: Reliance on Security Through Obscurity •

CVE-2025-41651 – Weidmueller: Missing Authentication Vulnerability in Industrial Ethernet Switches
https://notcve.org/view.php?id=CVE-2025-41651
27 May 2025 — Due to missing authentication on a critical function of the devices an unauthenticated remote attacker can execute arbitrary commands, potentially enabling unauthorized upload or download of configuration files and leading to full system compromise. • https://certvde.com/en/advisories/VDE-2025-044 • CWE-306: Missing Authentication for Critical Function •

CVE-2025-41650 – Weidmueller: Denial-of-Service Vulnerability in Industrial Ethernet Switches
https://notcve.org/view.php?id=CVE-2025-41650
27 May 2025 — An unauthenticated remote attacker can exploit input validation in cmd services of the devices, allowing them to disrupt system operations and potentially cause a denial-of-service. • https://certvde.com/en/advisories/VDE-2025-044 • CWE-1287: Improper Validation of Specified Type of Input •

CVE-2025-41649 – Weidmueller: Out-of-Bounds Write Vulnerability in Industrial Ethernet Switches
https://notcve.org/view.php?id=CVE-2025-41649
27 May 2025 — An unauthenticated remote attacker can exploit insufficient input validation to write data beyond the bounds of a buffer, potentially leading to a denial-of-service condition for the devices. • https://certvde.com/en/advisories/VDE-2025-044 • CWE-787: Out-of-bounds Write •

CVE-2025-1393 – Weidmueller: Authentication Vulnerability due to Hard-coded Credentials
https://notcve.org/view.php?id=CVE-2025-1393
05 Mar 2025 — An unauthenticated remote attacker can use hard-coded credentials to gain full administration privileges on the affected product. Un atacante remoto no autenticado puede usar credenciales codificadas para obtener privilegios de administración completos en el producto afectado. • https://certvde.com/en/advisories/VDE-2025-021 • CWE-798: Use of Hard-coded Credentials •

CVE-2022-3073 – Quaonos Schema ST4 example templates prone to XSS
https://notcve.org/view.php?id=CVE-2022-3073
14 Dec 2022 — Quanos "SCHEMA ST4" example web templates in version Bootstrap 2019 v2/2021 v1/2022 v1/2022 SP1 v1 or below are prone to JavaScript injection allowing a remote attacker to hijack existing sessions to e.g. other web services in the same environment or execute scripts in the users browser environment. The affected script is '*-schema.js'. Las plantillas web de ejemplo "SCHEMA ST4" de Quanos en la versión Bootstrap 2019 v2/2021 v1/2022 v1/2022 SP1 v1 o inferior son propensas a la inyección de JavaScript, lo qu... • https://cert.vde.com/de/advisories/VDE-2022-056 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •